I would appreciate your assistance with this. I have previously made this work, but this time the lookup fields are not a 100% match, so I can't figure out a way to use a LIKE command here. The only way to do an OR is via multiple lookups. This example takes each row from the incoming search results and then creates a new row for each value in the c field. The other fields will have duplicates. Note: The lookup command can accept multiple lookup and local fields and destfields. Next I have a lookup CSV containing an AD dump that I want to enrich the first search with; note the Nickname field follows the same format as the user field from the proxy results: fields user, Branch, Group, count lookup ADallusers.csv Nickname as user, DepBranch as Branch, DepGroup as Group. Yes, the lookup command supports multiple fields, but all of the fields are ANDed during the lookup. Note: The UserID in the lookup is not a 100% match to the (users) field in the initial search, so I think I need something like a "LIKE" command to compare similar characteristics of my lookup UserID field with users and then filter out the events based on site code (i.e. Each field has the following corresponding values: You run the mvexpand command and specify the c field. dataset () The function syntax returns all of the fields in the events that match your search criteria. There are three supported syntaxes for the dataset () function: Syntax. In my lookup, UserID is matched to its dedicated Site; however, the current search has Users from all Sites, which is something I need to filter out. You can use this function in the SELECT clause in the from command and with the stats command. I am trying to do a lookup which matches any one of the field values. For example, I want my timechart to only produce results for site "ABC" where users connected to. I have a csv file that I am using for a lookup which has multiple values in a particular field. I would like to filter out users based on site.
Now my aim is to have a lookup file (User-site.csv); the lookup has 2 fields. Here is a sample of what my search currently looks like: index=search "remote access" (host="1.1.1.1" OR host="2.2.2.2" OR host="3.3.3.3") The output is displayed as | timechart span=d dc(users) by host I've created a table with the required columns from the log files and the next step is to compare the. The log file would have the same column name as the lookup file. The requirement is to get the Decisiontype and priority from the csv file by comparing the values of the log files. word, otherword will fetch output as interestingword, interestingotherword. Lookups on multivalued fields without mvexpand. I currently have a search that produces "Users" connecting to certain "hosts" where the status of the connection is "created". The output field name can be LookupFieldNameFullFieldNameFromSearch if in foreach you're passing the full field name, e.g.